3.1. Design of approach to CIR
Recommendation 1. Establish and maintain objectives for CIR
Financial authorities should have clearly defined objectives for incident reporting, and periodically assess and demonstrate how these objectives can be achieved in an efficient manner, both for FIs and authorities.
Financial authorities should review the coverage and appropriateness of the five commonly identified reporting objectives (see Annex A) within their CIR regime. In some cases, a financial authority's CIR objectives may be implicitly contained within broader objectives related to incident reporting, which may be inclusive of, rather than exclusive to, cyber incidents. When defining objectives, financial authorities should, where possible, address commonly identified practical issues and impediments associated with CIR (e.g. reduction in operational challenges). Financial authorities should review their CIR objectives at regular intervals to verify that they remain fit for purpose and are proportionate, and ensure that the information sought in the incident reporting continues to meet the needs of all relevant stakeholders. Financial authorities could also engage FIs to clarify their CIR policy objectives, so that FIs can understand and support those objectives.
Recommendation 2. Explore greater convergence of CIR frameworks
Financial authorities should continue to explore ways to align their CIR regimes with other relevant authorities, on a cross-border and cross-sectoral basis, to minimise potential fragmentation and improve interoperability.